Security Risks Associated with eDellroot Certificate – Dell

Number: AV15-111 - UPDATE
Date: 25 November 2015

Purpose

Following the eDellroot advisory, the purpose of this advisory is to bring attention to recently published security risks associated with another Dell certificate, the DSDTestProvider certificate. The DSDTestProvider certificate is installed on Dell computers by the Dell System Detect (DSD) application. DSD is pre-installed on some Dell systems.

Assessment

Open source reports indicate that some Dell products may have the DSDTestProvider certificate pre-installed. This introduces a potential vulnerability that can be leveraged for malicious purposes.

The DSDTestProvider certificate is a self-signed root CA (certificate authority) certificate. Dell System Detect is an application that runs on Windows-based PCs or tablets and interacts with the Dell Support Website. DSD installs a trusted root certificate (DSDTestProvider) that includes the private key.

Given this vulnerability, a malicious actor could spoof the DSDTestProvider certificate using the private key, possibly allowing malicious files to be inherently trusted. Other common attack scenarios could include a man-in-the-middle (MiTM) attack to decrypt HTTPS traffic, and the installation of malicious software.

Suggested Action

CCIRC recommends the following mitigations and workarounds for affected applications:

  • Verify if your Dell product has the DSDTestProvider certificate installed.
  • Consider revoking the root CA eDellroot certificate in your Dell products using the Windows certificate manager (certmgr.msc). Revoking the certificate helps prevent reinstalling trust if DSD is reinstalled.
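The verification step above can be scripted. The following PowerShell is an added example and not part of the CCIRC advisory or Dell's tooling; it assumes the certificates' Subject field contains "eDellRoot" or "DSDTestProvider" and reports whether a private key is present in the local store, which is the condition that makes these root certificates dangerous.

```powershell
# Added example (not from the CCIRC advisory): audit the Windows root stores for the
# Dell certificates named in this advisory and report whether a private key is present.
# Assumption: the certificates' Subject contains "eDellRoot" or "DSDTestProvider".
param(
    [switch]$Remove   # pass -Remove to delete any matching certificate after reporting it
)

$names  = @('eDellRoot', 'DSDTestProvider')
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

function Find-DellRootCert {
    foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue | Where-Object {
            $subject = $_.Subject
            $names | Where-Object { $subject -match $_ }
        } | ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey   # a trusted root CA with a local private key is the risk
                PSPath        = $_.PSPath
            }
        }
    }
}

$found = @(Find-DellRootCert)
if ($found.Count -eq 0) {
    Write-Output 'No eDellRoot or DSDTestProvider certificate found in the root stores.'
    exit 0
}

$found | Format-Table Store, Subject, Thumbprint, HasPrivateKey -AutoSize

if ($Remove) {
    foreach ($cert in $found) {
        # -DeleteKey also removes the associated private key; LocalMachine changes need an elevated shell.
        Remove-Item -Path $cert.PSPath -DeleteKey -Force
        Write-Output "Removed $($cert.Subject) ($($cert.Thumbprint)) from $($cert.Store)"
    }
}
```

Run it without -Remove first to see what is installed; a result with HasPrivateKey set to True is the exposure the advisory describes. Copying the certificate into the Untrusted Certificates store (Cert:\LocalMachine\Disallowed) rather than only deleting it keeps it distrusted if the Dell application reinstalls it.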

References:

Number: AV15-111
Date: 24 November 2015

Purpose

The purpose of this advisory is to bring attention to recently published security risks associated with the eDellroot certificate installed on Dell products.

The eDellroot certificate comes pre-installed on Dell computers or is installed by the Dell Foundation Services application. This certificate was implemented as part of a support tool and intended to make it faster and easier for Dell’s customers to service their system.

Assessment

CCIRC is aware of open source reporting concerning Dell products pre-installed with eDellroot certificate, which introduces a potential vulnerability that can be leveraged for malicious purposes.

The eDellroot certificate is a self-signed root CA (certificate authority) certificate. The private key of the certificate, although marked as non-exportable, can still be extracted with specialized open source tools. Given this vulnerability, a malicious actor could spoof a certificate using the private key, possibly allowing malicious files to be inherently trusted.

Suggested Action

CCIRC recommends the following mitigations and workarounds for affected applications:

References:

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note, CCIRC PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca
